Artrellion · Policy · Carbon & Climate · Release Arsenal · Stakeholders · Contact
ArtrellionAdvocacy Infrastructure for the Data-Driven Era
Home / Carbon & Climate / Stakeholders / Verification Bodies (VVBs) / DNV / Audit Trail Documentation

DNV Audit Trail Documentation — Verification Chain of Custody

Prepared for DNV. Audit Trail Documentation. Draft in review.

DNV Audit Trail Documentation — Verification Chain of Custody

Purpose

This document outlines the compliance requirements and procedures for the DNV verification bodies concerning the audit trail from sensor measurement through verification to credit issuance. The focus is on ensuring a robust chain of custody, data integrity, timestamp verification, tamper detection, and audit log format as specified by DNV standards.

Table of Contents

  1. [Chain of Custody](#chain-of-custody)
  2. [Data Integrity](#data-integrity)
  3. [Timestamp Verification](#timestamp-verification)
  4. [Tamper Detection](#tamper-detection)
  5. [Audit Log Format](#audit-log-format)
  6. [Conformity Assessment Procedures](#conformity-assessment-procedures)
  7. [References](#references)

Chain of Custody

The chain of custody is a critical component in ensuring the integrity of the data collected from sensors to the issuance of carbon credits. The following requirements shall be adhered to:

1.1 Data Flow Mapping

The data flow must be mapped from the point of sensor data acquisition to the final credit issuance. The mapping shall include the following components:

  • Sensor ID: Unique identifier for each IoT sensor.
  • Data Acquisition Timestamp: ISO 8601 formatted timestamp (e.g., 2023-10-01T12:00:00Z).
  • Data Type: Type of data collected (e.g., CO2 concentration, temperature).
  • Data Value: Actual measurement value.
  • Data Processing Steps: List of algorithms applied to the raw data.
  • Verification Status: Status of the data (e.g., Pending, Verified, Rejected).
  • Credit Issuance ID: Unique identifier for the carbon credit issued.

1.2 Data Transmission Protocol

All data transmissions shall utilize secure protocols (e.g., HTTPS, MQTT with TLS) to ensure data confidentiality and integrity during transit.

1.3 Data Storage Requirements

Data shall be stored in a secure, tamper-evident database. The following data formats shall be used:

  • JSON for raw sensor data.
  • XML for processed data reports.
  • CSV for audit logs.

1.4 Chain of Custody Documentation

Documentation must include:

  • A detailed log of each data acquisition event.
  • Records of any data modifications, including timestamps and user IDs of personnel making changes.
  • Evidence of verification steps, including reviewer comments and approval timestamps.

Data Integrity

To ensure data integrity, the following measures shall be implemented:

2.1 Data Validation

  • Input Validation: All incoming data shall be validated against predefined formats and ranges.
  • Output Validation: Generated reports must undergo validation to ensure accuracy.

2.2 Checksums

A checksum (e.g., SHA-256) shall be generated for each data record upon creation and verified upon retrieval to ensure data has not been altered.

2.3 Data Backup

Regular backups of the data must be performed according to the following schedule:

  • Daily incremental backups.
  • Weekly full backups.

Backup data shall be stored in a separate, secure location.

Timestamp Verification

Timestamps are crucial for maintaining the integrity of the audit trail. The following requirements shall be adhered to:

3.1 Timestamp Format

All timestamps must be recorded in ISO 8601 format. Example: 2023-10-01T12:00:00Z.

3.2 Synchronization

All sensors and servers shall synchronize their clocks with a reliable time source (e.g., NTP servers) to ensure uniformity in timestamping.

3.3 Timestamp Auditing

Audit trails must include:

  • Creation timestamps for each record.
  • Modification timestamps for any changes made to existing records.
  • Verification timestamps marking when the data was verified.

Tamper Detection

To detect any unauthorized alterations to data, the following mechanisms shall be implemented:

4.1 Tamper-Evident Storage

Data storage solutions must be tamper-evident, employing cryptographic techniques to alert stakeholders of any unauthorized changes.

4.2 Access Control

Access to data shall be restricted based on user roles. The following roles must be defined:

  • Data Collector: Limited to data input.
  • Data Processor: Can modify and process data.
  • Verifier: Can review and approve data.
  • Auditor: Can view all records without modification rights.

4.3 Anomaly Detection

Automated systems shall be implemented to monitor for anomalies in data patterns that could indicate tampering. Alerts must be generated for any detected anomalies.

Audit Log Format

Audit logs shall be maintained in a structured format to facilitate easy review and compliance checks. The following specifications shall be adhered to:

5.1 Log Structure

Each entry in the audit log shall contain the following fields:

  • Timestamp: ISO 8601 format.
  • User ID: Identifier of the user performing the action.
  • Action Type: Type of action performed (e.g., CREATE, UPDATE, DELETE).
  • Record ID: Identifier of the record affected.
  • Previous Value: Value before modification (if applicable).
  • New Value: Value after modification (if applicable).
  • IP Address: IP address of the user performing the action.

5.2 Log Retention

Audit logs shall be retained for a minimum of 10 years to comply with regulatory requirements. Logs must be securely stored and protected against unauthorized access.

Conformity Assessment Procedures

The following procedures shall be followed to ensure compliance with DNV standards:

6.1 Internal Audits

Regular internal audits shall be conducted bi-annually to assess compliance with this documentation. Audit procedures shall include:

  • Verification of data flow mapping.
  • Review of data integrity measures.
  • Examination of timestamp accuracy.
  • Assessment of tamper detection mechanisms.

6.2 External Audits

An external audit shall be conducted annually by a certified third-party auditor. The auditor shall verify:

  • Compliance with DNV standards.
  • Effectiveness of the implemented controls.
  • Recommendations for improvements.

6.3 Corrective Actions

Any non-compliance identified during audits shall be documented, and corrective actions must be taken within 30 days. A follow-up audit shall be conducted to ensure compliance.

References

  • ISO 14064-3: Greenhouse gases — Part 3: Specification with guidance for the validation and verification of greenhouse gas assertions.
  • ISO 27001: Information security management systems — Requirements.
  • DNV GL Standards for Verification Bodies.

---

This document serves as a comprehensive guide to the requirements and procedures necessary for maintaining a robust verification chain of custody in compliance with DNV standards. All stakeholders involved in the data collection, processing, verification, and credit issuance processes must adhere strictly to these guidelines to ensure the integrity and reliability of carbon market operations.

Organisation
DNV
Category
Verification Bodies (VVBs)
Doc type
Audit Trail Documentation
Word count
995

The co-dependence network

Trellison Institute

Research and methodology.

Carbon capture research →

Artrellion

Policy and stakeholder engagement.

Carbon release arsenal →

LedgerWell

Operational verification.

Carbon business cases →

Disclosure: Draft document prepared for Artrellion stakeholder engagement. Transmittal requires governance approval and recipient-specific customisation.

← DNV · All stakeholders